A typical present-day network control architecture includes several major components that cooperate in order to enable service provisioning.
FIG. 1 illustrates a basic network architecture.
As illustrated in FIG. 1, the user equipment (1) is connected to the Access Network (8), which is attached to the Access Gateway (2) that manages user access to the Backbone (also called Core) Network (7). The connection procedure is managed by the Access Gateway (2) and includes configuration of the user's equipment (1), assisted by a DHCP (Dynamic Host Configuration Protocol) Server (3), and user authentication and authorization, assisted by an AAA (Authentication, Authorization and Accounting) Server (4).
Both the DHCP and the AAA server may, in the course of their operation, query user details stored in the Subscriber Profiles Repository (6).
User equipment (i.e. client) parameters are usually used to create credentials that enable unambiguous user identification. User equipment may be a mobile phone, a PDA, a personal or portable computer, or any other electronic device capable of and configured for communicating with other devices. User equipment parameters can be, e.g., a phone number, a MAC address, a physical port, a Virtual Private Network ID, etc.
A user must be registered in the Subscriber Profiles Repository before being granted network access. Registration is made with respect to a single type of connection and thus enables access via that single type of connection only. User information can be entered by customer relationship management (CRM) systems and stored in dedicated databases (the so-called SPR, Subscriber Profiles Repository). When the Access Gateway (2) receives an access request sent from a client during user login, the user's credentials (also referred to as the subscriber's credentials) are extracted from the access request and compared with those stored in the SPR. If the credentials match, access to the network is permitted via the type of connection corresponding to the credentials. In some networks (typically networks with promiscuous access, such as Wi-Fi) a User Portal (5) can be used for interactive entry of the access credentials. In other cases (fixed connections, such as DSL or cellular) the user credentials can be derived from connection details (port, permanent unique settings of the user equipment such as the MAC address) incorporated into the request by the access-side equipment (e.g. a DSL modem, a Digital Subscriber Line Access Multiplexer, etc.).
The network access gateway (2) (also called the access controller), such as a GGSN (Gateway GPRS (General Packet Radio Service) Support Node), the AAA (Authentication, Authorization, Accounting) Server, etc., access the SPR intensively in order to manage user access, sessions and services.
AAA, SPR, DHCP and other applications form a closed and protected environment (which may also be referred to as the Provider's Back Office). The Back Office is usually coupled with a particular network type (cellular, DSL, Wi-Fi, etc.). Thus, when a service provider manages several networks of different access types, each one is served by a dedicated back office environment. Accordingly, in order to access several core networks of different access types, a user must be registered in a number of back office SPRs, each corresponding to a different access type.
Modern user equipment such as cellular phones, laptops, etc. has several network adapters and is able to support different types of connection, such as GPRS, Wi-Fi, WiMAX, etc. In many cases, such as restricted connectivity at a given location, network node congestion, high cost of traffic, and the like, a user may wish to take advantage of the ability to use different types of connection and connect over a feasible alternative network (also called a Visited Network) available in the area, or to switch between the network connections available in the area. Switching between network connections can be, for example, from cellular to Wi-Fi, cellular to WiMAX, Wi-Fi to cellular, Wi-Fi to WiMAX, etc.
Switching can also be performed between networks of the same type run by different providers, i.e. Wi-Fi_1 to Wi-Fi_2, or Cellular_1 to Cellular_2. All of the above switches depend on the properties of the device and on its support for the different kinds of network connection.
In the following discussion the term “Home Network” is used to refer to a network in which the user is registered. The term “Visited Network” is used to refer to a network in which the user is not registered.
As explained, a user must be registered in the SPR (6) of the appropriate Home Network with respect to one or more types of network connection before obtaining network access.
In cases where a user attempts to access a network via a Visited Network in which he is not registered, the Visited Network control engines query the Home Network controllers for temporary credentials. The temporary credentials are used for user authentication in respect of a single session only, and once the connection is terminated, the temporary credentials are destroyed in the Visited Network. Any future attempt by the same unregistered user to access the Visited Network will require the user to go through the same procedure of obtaining temporary credentials.
As shown in FIG. 2, a user tries to connect to a Visited Network (in which he is not registered) using user equipment. In this example the Visited Network is a Wi-Fi network.
The access controller 2.2 looks in the local SPR 2.6.2, and if the user's credentials provided within the query, such as phone number, MAC address, ID, etc., are not found in the local SPR 2.6.2, the Home Network controller 2.1 is queried for the appropriate credentials.
The credentials received from the Home Network are used for user authentication and authorization. For example, the user may be presented with a web page and asked to enter a user ID and password (either the same as in the Home Network, or a dedicated one-time ID and password allocated for login in the Visited Network).
After the authentication procedure is completed, the user's credentials are destroyed in the Visited Network, so that the next time the network controllers and the user will need to go through the same procedure again, i.e. ask the Home Network for the credentials.
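The following Python simulation is an added example and is not part of the original description; it models both the credential comparison of the login procedure described above (access request checked against the SPR) and the FIG. 2 flow (local SPR miss, Home Network queried for one-session temporary credentials, credentials destroyed when the session ends). The class and function names, the SPR contents and the secrets are all constructed for illustration; the RADIUS/Diameter transport between gateway and AAA server, and the out-of-band delivery of the one-time credentials to the user, are not modelled.

```python
"""Simulation of Home/Visited Network access control (constructed example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _h(secret: str) -> bytes:
    """Credentials are stored hashed, never in clear (design choice of this example)."""
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class SPR:
    """Subscriber Profiles Repository: identifier -> (connection type, secret hash)."""
    profiles: dict = field(default_factory=dict)

    def register(self, ident: str, conn_type: str, secret: str) -> None:
        self.profiles[ident] = (conn_type, _h(secret))

    def verify(self, ident: str, conn_type: str, secret: str) -> bool:
        entry = self.profiles.get(ident)
        if entry is None or entry[0] != conn_type:   # registered per connection type only
            return False
        # constant-time compare: the gateway must not leak which byte differed
        return hmac.compare_digest(entry[1], _h(secret))


@dataclass
class HomeNetwork:
    """Home Network controller: issues one-time credentials for its own subscribers."""
    spr: SPR
    issued: dict = field(default_factory=dict)      # temp_id -> home subscriber ident

    def issue_temporary(self, ident: str):
        if ident not in self.spr.profiles:
            return None                              # not our subscriber either
        temp_id, temp_pw = "tmp-" + secrets.token_hex(4), secrets.token_urlsafe(12)
        self.issued[temp_id] = ident
        return temp_id, temp_pw


@dataclass
class VisitedAccessController:
    """Access controller of the Visited Network (hypothetical 2.2 in FIG. 2)."""
    local_spr: SPR
    home: HomeNetwork
    conn_type: str = "wifi"
    temp_store: dict = field(default_factory=dict)  # temp_id -> hash, lives one session
    home_queries: int = 0

    def access_request(self, ident: str, secret: str):
        # A locally registered subscriber is decided locally, never delegated to Home
        if ident in self.local_spr.profiles:
            ok = self.local_spr.verify(ident, self.conn_type, secret)
            return ("granted", "local") if ok else ("denied", "bad-local-credentials")
        # Local SPR miss: query the Home Network for temporary credentials
        self.home_queries += 1
        tmp = self.home.issue_temporary(ident)
        if tmp is None:
            return ("denied", "unknown-to-home")
        temp_id, temp_pw = tmp
        self.temp_store[temp_id] = _h(temp_pw)
        return ("challenge", temp_id, temp_pw)        # user is prompted via the portal

    def portal_login(self, temp_id: str, temp_pw: str):
        stored = self.temp_store.get(temp_id)
        if stored is None or not hmac.compare_digest(stored, _h(temp_pw)):
            return ("denied", "bad-temporary-credentials")
        return ("granted", "temporary", temp_id)

    def terminate_session(self, temp_id: str) -> None:
        """Destroy the temporary credentials; a later visit must query Home again."""
        self.temp_store.pop(temp_id, None)


if __name__ == "__main__":
    home_spr = SPR()
    home_spr.register("mac-00:11:22:33:44:55", "cellular", "s3cret")   # constructed
    visited = VisitedAccessController(SPR(), HomeNetwork(home_spr))
    _, tid, tpw = visited.access_request("mac-00:11:22:33:44:55", "s3cret")
    print(visited.portal_login(tid, tpw))
    visited.terminate_session(tid)
    print(visited.portal_login(tid, tpw), "home queries:", visited.home_queries)
```

Two points of the design are worth noting. A local SPR hit with a wrong secret is refused locally rather than falling through to the Home Network query, so the Visited Network never asks Home to vouch for a subscriber it already knows; and the temporary credentials are keyed to a session and removed in `terminate_session`, so every later access by the same unregistered user costs another Home Network query, which is exactly the repeated procedure the description notes.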